White-box cryptography is aimed at protecting secret keys from being disclosed in a software implementation of a cryptographic or secure function. In such a context, it is assumed that the attacker (usually a “legitimate” user or malicious software) may also control the execution environment of the software implementation. This is in contrast with the more traditional security model, where the attacker is only given black-box access (i.e., inputs/outputs) to the cryptographic function under consideration.
The main idea of white-box implementations is to rewrite a key-instantiated version of the function so that all information related to the key is hidden in the software implementation of the cryptographic or secure function. In other words, for each secret key a key-customized implementation is produced, so that the key no longer needs to be supplied as an input. In other embodiments, the secret key may be an input to the white-box implementation. In such a case the key may be encoded.
Most symmetric block ciphers, including the AES and the DES, are implemented using substitution boxes and linear transformations. Imagine that such a cipher is white-box implemented as a huge lookup table that takes any plaintext as input and returns the corresponding ciphertext for a given key. Observe that this white-box implementation has exactly the same security as the same cipher in the black-box context: the adversary learns nothing more than pairs of matching plaintexts/ciphertexts. Typical plaintexts being 64-bit or 128-bit values, such an ideal approach cannot be implemented in practice because of the size of the resulting lookup table.
Current white-box implementations apply the above basic idea to smaller components of the cryptographic function. These white-box implementations represent each component as a series of lookup tables and insert random input and output bijective encodings on the lookup tables to introduce ambiguity (the output encoding of one table is cancelled by the input decoding absorbed into the next), so that the resulting algorithm appears as the composition of a series of lookup tables with randomized values.
To add further protection, external (key-independent) encodings may be used by replacing the encryption function $E_K$ (respectively, decryption function $E_K^{-1}$) with the composition $E'_K = G \circ E_K \circ F^{-1}$ (respectively, $E'^{-1}_K = F \circ E_K^{-1} \circ G^{-1}$). Input encoding function $F$ and output decoding function $G^{-1}$ (respectively, $G$ and $F^{-1}$) should not be made available on the platform that computes $E'_K$ (respectively, $E'^{-1}_K$), so that the white-box implementation cannot be used to compute $E_K$ (respectively, $E_K^{-1}$). Although the resulting implementation is not standard, such an approach is reasonable for many applications.
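The table-based construction with internal encodings (previous paragraph) and the external encodings $F$ and $G$ (this paragraph) can be seen end to end on a deliberately small cipher. The following is an added example, not code from the original text: the two-round "cipher" (key-byte XOR followed by an 8-bit S-box, with a constructed pseudo-random S-box rather than AES's), the function names and the round keys are all assumptions made for illustration. It builds one lookup table per round with the key baked in, wraps each table in random bijective encodings that cancel between consecutive tables, and checks that the encoded chain computes exactly $G \circ E_K \circ F^{-1}$. It also shows why the encodings matter: a key-instantiated table without encodings pins down its round key from a single entry, while the encoded table is consistent with many candidate keys.

```python
"""Toy table-based white-box implementation with internal and external encodings.

Added example, not from the original text. The cipher is a constructed
two-round toy (XOR a key byte, then apply an 8-bit S-box) used only to
illustrate the encoding technique; SBOX is a fixed pseudo-random permutation.
"""
import random
import secrets

# Constructed toy S-box: a fixed pseudo-random 8-bit permutation (not AES's).
_rng = random.Random(20240101)
SBOX = list(range(256))
_rng.shuffle(SBOX)
SBOX_INV = [0] * 256
for _x, _y in enumerate(SBOX):
    SBOX_INV[_y] = _x


def random_bijection():
    """Fresh random permutation of 0..255 from the OS CSPRNG (Fisher-Yates)."""
    perm = list(range(256))
    for i in range(255, 0, -1):
        j = secrets.randbelow(i + 1)
        perm[i], perm[j] = perm[j], perm[i]
    return perm


def invert(perm):
    """Inverse of a permutation given as a lookup table."""
    inv = [0] * len(perm)
    for x, y in enumerate(perm):
        inv[y] = x
    return inv


def compose(outer, inner):
    """Lookup table for outer ∘ inner, i.e. x -> outer[inner[x]]."""
    return [outer[inner[x]] for x in range(256)]


def black_box_encrypt(p, round_keys):
    """Reference (black-box) cipher E_K(p): key is an explicit input."""
    x = p
    for k in round_keys:
        x = SBOX[x ^ k]
    return x


def key_instantiated_tables(round_keys):
    """Naive white-box: one table per round with the key baked in,
    T_i[x] = SBOX[x ^ k_i]. Nothing hides the key beyond the table itself."""
    return [[SBOX[x ^ k] for x in range(256)] for k in round_keys]


def encoded_tables(round_keys, F, G):
    """White-box tables with random internal encodings f_i and external
    encodings F (input) and G (output):
        T'_1 = f_1 ∘ T_1 ∘ F^{-1}
        T'_i = f_i ∘ T_i ∘ f_{i-1}^{-1}
        T'_n = G ∘ T_n ∘ f_{n-1}^{-1}
    so that T'_n ∘ ... ∘ T'_1 = G ∘ E_K ∘ F^{-1}. The f_i are discarded after
    generation; F^{-1} and G^{-1} must stay off the platform holding the tables."""
    plain = key_instantiated_tables(round_keys)
    n = len(plain)
    tables = []
    in_enc = F
    for i, T in enumerate(plain):
        out_enc = G if i == n - 1 else random_bijection()
        tables.append(compose(out_enc, compose(T, invert(in_enc))))
        in_enc = out_enc
    return tables


def white_box_encrypt(tables, encoded_p):
    """Run the table chain on an F-encoded plaintext; returns a G-encoded ciphertext."""
    x = encoded_p
    for T in tables:
        x = T[x]
    return x


def key_bytes_consistent_with_first_table(table):
    """Candidate key bytes k implied by table[x] == SBOX[x ^ k] at each input x.
    An unencoded round table yields one value for every x; an encoded table
    yields many different values, so the table alone fixes no key."""
    return {x ^ SBOX_INV[table[x]] for x in range(256)}


def demo(round_keys=(0x3C, 0xA7)):
    """Build encoded tables and verify the G ∘ E_K ∘ F^{-1} relation for all inputs."""
    keys = list(round_keys)
    F, G = random_bijection(), random_bijection()
    tables = encoded_tables(keys, F, G)
    equivalent = all(
        white_box_encrypt(tables, F[p]) == G[black_box_encrypt(p, keys)]
        for p in range(256)
    )
    naive = key_instantiated_tables(keys)
    return {
        "equivalent": equivalent,
        "naive_first_round_candidates": key_bytes_consistent_with_first_table(naive[0]),
        "encoded_first_round_candidates": len(key_bytes_consistent_with_first_table(tables[0])),
    }


if __name__ == "__main__":
    print(demo())
```

Running `demo()` reports `equivalent: True`, a single candidate `{0x3C}` for the unencoded first-round table, and well over a hundred candidates for the encoded one. The internal encodings are only ever needed at generation time; the platform receives the tables and nothing else, and without $F$ and $G^{-1}$ it can compute $E'_K$ but not $E_K$, which is the property the paragraph above relies on.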